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Abstract 



We tackle the problem of planning in nondeterministic domains, by presenting a new 
approach to conformant planning. Conformant planning is the problem of finding a se- 
quence of actions that is guaranteed to achieve the goal despite the nondeterminism of the 
domain. Our approach is based on the representation of the planning domain as a finite 
state automaton. Wc use Symbolic Model Checking techniques, in particular Binary Deci- 
sion Diagrams, to compactly represent and efficiently search the automaton. In this paper 
we make the fohowing contributions. First, we present a general planning algorithm for 
conformant planning, which applies to fully nondeterministic domains, with uncertainty in 
the initial condition and in action effects. The algorithm is based on a breadth-first, back- 
ward search, and returns conformant plans of minimal length, if a solution to the planning 
problem exists, otherwise it terminates concluding that the problem admits no conformant 
solution. Second, we provide a symbohc representation of the search space based on Binary 
Decision Diagrams (Bdds), which is the basis for search techniques derived from symbolic 
model checking. The symbolic representation makes it possible to analyze potentially large 
sets of states and transitions in a single computation step, thus providing for an efficient 
implementation. Third, we present Cmbp (Conformant Model Based Planner), an efficient 
implementation of the data structures and algorithm described above, directly based on 
Bdd manipulations, which allows for a compact representation of the search layers and an 
efficient implementation of the search steps. Finally, we present an experimental compar- 
ison of our approach with the state-of-the-art conformant planners Cgp, Qbfplan and 
Gpt. Our analysis includes all the planning problems from the distribution packages of 
these systems, plus other problems defined to stress a number of specific factors. Our ap- 
proach appears to be the most effective: Cmbp is strictly more expressive than Qbfpt.AN 
and Cgp and, in ah the problems where a comparison is possible, Cmbp outperforms its 
competitors, sometimes by orders of magnitude. 

1. Introduction 

In recent years, there has been a growing interest in planning in nondeterministic domains. 
Rejecting some fundamental (and often unrealistic) assumptions of classical planning, do- 
mains are considered where actions can have uncertain effects, exogenous events are possible, 
and the initial state can be only partly specified. The challenge is to find a strong plan, 
that is guaranteed to achieve the goal despite the nondeterminism of the domain, regardless 
of the uncertainty on the initial condition and on the effect of actions. Conditional plan- 
ning (Cassandra, Kaelbling, h Littman, 1994; Weld, Anderson, &: Smith, 1998: Cimatti, 
Roveri, h Traverso, 1998b) tackles this problem by searching for a conditional course of 
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actions, that depends on information that can be gathered at run-time. In certain domains, 
however, run-time information gathering may be too expensive or simply impossible. Con- 
formant planning (Goldman &: Boddy, 1996) is the problem of finding an unconditioned 
course of actions, i.e. a classical plan, that does not depend on run-time information gath- 
ering to guarantee the achievement of the goal. Conformant planning has been recognized 
as a significant problem in Artificial Intelligence since the work by Michie (1974): the Blind 
Robot problem requires to program the activity for a sensorless agent, which can be po- 
sitioned in any location of a given room, so that it will be guaranteed to achieve a given 
goal. Conformant planning can be also seen as a problem of control for a system with 
an unobservable and unknown state, such as a microprocessor at power-up, or a software 
system under black-box testing. 

Because of uncertainty, a plan is associated to potentially many different executions, 
which must be all taken into account in order to guarantee goal achievement. This makes 
conformant planning significantly harder than classical planning (Rintanen, 1999a; De Gia- 
como &: Vardi, 1999). Despite this increased complexity, several approaches to conformant 
planning have been recently proposed, based on (extensions of) the main planning tech- 
niques for classical planning. The most interesting are Cgp (Smith & Weld, 1998) based 
on Graphplan, Qbfplan (Rintanen, 1999a) which extends the SAT-plan approach to 
QBF, and Gpt (Bonet &: Geffner, 2000) which encodes conformant planning as heuristic 
search. In this paper, we propose a new approach to conformant planning, based on Sym- 
bolic Model Checking (McMillan, 1993). Symbolic Model Checking is a formal verification 
technique, which allows one to analyze finite state automata of high complexity, relying on 
symbolic techniques. Binary Decision Diagrams (Bdds) (Bryant, 1986) in particular, for 
the compact representation and efficient search of the automaton. Our approach builds on 
the planning via model checking paradigm presented by Cimatti and his colleagues (1997, 
1998b, 1998a), where finite state automata are used to represent complex, nondeterministic 
planning domains, and planning is based on (extensions of) the basic model checking steps. 
We make the following contributions. 

• First, we present a general algorithm for conformant planning, which applies to any 
nondeterministic domain with uncertain action effects and initial condition, expressed 
as a nondeterministic finite-state automaton. The algorithm performs a breadth-first 
search, exploring plans of increasing length, until a plan is found or no more candidate 
plans are available. The algorithm is complete, i.e. it returns with failure if and only 
if the problem admits no conformant solution. If the problem admits a solution, the 
algorithm returns a conformant plan of minimal length. 

• Second, we provide a symbolic representation of the search space based on Binary 
Decision Diagrams, which allows for the application of search techniques derived from 
symbolic model checking. The symbolic representation makes it possible to analyze 
sets of transitions in a single computation step. These sets can be compactly rep- 
resented and efficiently manipulated despite their potentially large cardinality. This 
way it is possible to overcome the enumerative nature of the other approaches to 
conformant planning, for which the degree of nondeterminism tends to be a limiting 
factor. 
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• Third, we developed Cmbp (Conformant Model Based Planner), which is an efficient 
implementation of the data structures and algorithm described above. Cmbp is de- 
veloped on top of Mbp, the planner based on symbolic model checking techniques 
developed by Cimatti, Roveri and Traveso (1998b, 1998a). Cmbp implements several 
new techniques, directly based on Bdd manipulations, to compact the search layers 
and optimize termination checking. 

• Finally, we provide an experimental evaluation of the state-of-the-art conformant plan- 
ners, comparing Cmbp with Cgp, Qbfplan and Gpt. Because of the difference in 
expressivity, not all the problems which can be tackled by Cmbp can also be repre- 
sented in the other planners. However, for the problems where a direct comparison 
was possible, Cmbp outperforms its competitors. In particular, it features a better 
qualitative behavior, not directly related to the number of initial states and uncertain 
action effects, and more stable with respect to the use of heuristics. 

The paper is structured as follows. In Section 2 we review the representation of (non- 
deterministic) planning domains as finite state automata. In Section 3 we provide the 
intuitions and a formal definition of conformant planning in this setting. In Section 4 we 
present the planning algorithm, and in Section 5 we discuss the symbolic representation 
of the search space, which allows for an efficient implementation. In Section 6 we present 
the Cmbp planner, and in Section 7 we present the experimental results. In Section 8 we 
discuss some further related work. In Section 9 we draw the conclusions and discuss future 
research directions. 

2. Planning Domains as Finite State Automata 

We are interested in complex, nondeterministic planning domains, where actions can have 
preconditions, conditional effects, and uncertain effects, and the initial state can be only 
partly specified. In the rest of this paper, we use a very simple though paradigmatic domain 
for explanatory purposes, a variation of Moore's bomb in the toilet domain (McDermott, 
1987) (from now on called BTUC — BT with Uncertain Clogging). There are two packages, 
and one of them contains an armed bomb. It is possible to dunk either package in the 
toilet (actions Dunki and Dunk-i), provided that the toilet is not clogged. Dunking either 
package has the uncertain effect of clogging the toilet. Furthermore, dunking the package 
containing the bomb has the effect of disarming the bomb. The action Flush has the effect 
of unclogging the toilet. 

We represent such domains as finite state automata. Figure 1 depicts the automaton for 
the BTUC domain. Each state is given a number, and contains all the propositions holding 
in that state. For instance, state 1 represents the state where the bomb is in package 1, is 
not defused, and the toilet is not clogged. Given that there is only one bomb, we write In2 
as an abbreviation for the negation of Ini. Arrows between states depict the transitions of 
the automaton, representing the possible behavior of actions. The transition from state 2 
to state 1 labeled by Flush represents the fact that the action Flush, if executed in state 
2, only has the effect of removing the clogging. The execution of Dunki in state 1, which 
has the uncertain effect of clogging the toilet, is represented by the multiple transitions to 
states 5 and 6. Since there is no transition outgoing from state 2 and labelled by Dunki, 
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Figure 1: The automaton for the BTUC domain 

state 2 does not satisfy the preconditions of action Dunki, i.e. Dunki is not apphcable in 
state 2. 

We formally define nondeterministic planning domains as follows. 

Definition 1 (Planning Domain) A Planning Domain is a 4-tuple V = ("P, 5, 7^), 
where V is the (finite) set of atomic propositions, S C 2^ is the set of states, A is the 
(finite) set of actions, and TZ C S x A x S is the transition relation. 

Intuitively, a proposition is in a state if and only if it holds in that state. In the following 
we assume that a planning domain V is given. We use s, s' and s" to denote states of V, 
and a to denote actions. TZ{s, a, s') holds iff when executing the action a in the state s the 
state s' is a possible outcome. We say that an action a is applicable in s iff there is at least 
one state s' such that Tl{s,a,s') holds. We say that an action a is deterministic in s iff 
there is a unique state s' such that TZ{s, a, s') holds. An action a has an uncertain outcome 
in s if there are at least two distinct states s' and s" such that 7l{s,a,s') and TZ{s,a,s") 
hold. As described by Cimatti and his colleagues (1997), the automaton for a given domain 
can be efficiently built starting from a compact description given in an expressive high level 
action language, for instance ATI (Giunchiglia, Kartha, Sz Lifschitz, 1997). 

3. Conformant Planning 

Conformant planning (Goldman Sz Boddy, 1996) can be described as the problem of finding 
a sequence of actions that is guaranteed to achieve the goal regardless of the nondeterminism 
of the domain. That is, for all possible initial states, and for all uncertain action effects, 
the execution of the plan results in a goal state. 

Consider the following problem for the BTUC domain. Initially, the bomb is armed but 
its position and the status of the toilet are uncertain, i.e. the initial state can be any of the 
states in {1, 2, 3, 4}. The goal is to reach a state where the bomb is defused, and the toilet 
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Figure 2: A conformant solution for the BTUC problem 

is not clogged, i.e. the set of goal states is {5, 7}. A conformant plan solving this problem 
is 

Flush; Dunki ; Flush ; Dunk2; Flush (1) 

Figure 2 outlines the possible executions of the plan, for all possible initial states and 
uncertain action effects. The initial uncertainty lies in the fact that the domain might be 
in any of the states in {1,2,3,4}. The possible initial states of the planning domain are 
collected into a set by a dashed line. We call such a set a belief state. Intuitively, a belief 
state expresses a condition of uncertainty about the domain, by collecting together all the 
states which are indistinguishable from the point of view of an agent reasoning about the 
domain. The first action. Flush, is used to remove the possible clogging. This reduces the 
uncertainty to the belief state {1,3}. Despite the remaining uncertainty (i.e. it is still not 
known in which package the bomb is), action Dunki is now guaranteed to be applicable 
because its precondition is met in both states. Dunki has the effect of defusing the bomb if 
it is contained in package 1, and has the uncertain effect of clogging the toilet. The resulting 
belief state is {3,4,5,6}. The following action. Flush, removes the clogging, reducing the 
uncertainty to the belief state {3,5}, and guarantees the applicability of Dunk2- After 
Dunk2, the bomb is guaranteed to be defused, but the toilet might be clogged again (states 
6 and 8 in the belief state {5, 6, 7, 8}). The final Flush reduces the uncertainty to the belief 
state {5,7}, and guarantees the achievement of the goal. 

In general, in order for a plan to be a conformant solution, no action must be executed 
in states which do not satisfy the preconditions, and any state that can result from the 
execution of the plan (for all the initial states and for all the uncertain action effects) is 
a goal state. The main difficulty in achieving these conditions is that no information is 
(assumed to be) available at run-time. Therefore, at planning time we face the problem of 
reasoning about action execution in a belief state, i.e. under a condition of uncertainty. 

Definition 2 (Action Applicability) Let Ds C S be a Belief State. The action a is 
applicable in Bs iff Bs ^ and a is applicable in every state s G Bs. 
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In order for an action to be applicable in a belief state, we require that its preconditions 
must be guaranteed notwithstanding the uncertainty. In other words, we reject "reckless" 
plans, which take the chance of applying an action without the guarantee of its applicability. 
This choice is strongly motivated in practical domains, where possibly fatal consequences 
can follow from the attempt to apply an action when its preconditions might not be satisfied 
(e.g. starting to fix an electrical device without being sure that it is not powered). The effect 
of action execution from an uncertain condition is defined as follows. 

Definition 3 (Action Image) Let Bs C S be a belief state, and let a be an action appli- 
cable in Bs. The image (also called execution) of a in Bs, written Image[a]{B s) , is defined 
as follows. 

Image[a]{Bs) = {s' \ there exists s € Bs such that TZ{s,a,s')} 

Notice that the image of an action combines the uncertainty in the belief state with the un- 
certainty on the action effects. (Consider for instance that Iniage[Dunki]{{l, 3})={3, 4, 5, 6}.) 
In the following, we write Image[a]{s) instead of Im.age[a]{{s}). 

Plans are elements of A*, i.e. finite sequences of actions. We use e for the 0-length 
plan, TT and p to denote generic plans, and tt; p for plan concatenation. The notions of 
applicability and image generalize to plans as follows. 

Definition 4 (Plan Applicability and Image) Let n G A*, and let Bs C S. n is ap- 
plicable in Bs iff one of the following holds: 

J. TT = e and Bs / 0; 

2. TT = a; p, a is applicable in Bs, and p is applicable in Image[a]{Bs). 
The image (also called execution) of n in Bs, written Image['K]{Bs), is defined as: 

1. Image[e]{Bs) = Bs; 

2. Image[a\'K\{Bs) = Image['K\{Image[Q\{B s)) ; 

A planning problem is formally characterized by the set of initial and goal states. The 
following definition captures the intuitive meaning of conformant plan given above. 

Definition 5 (Conformant Planning) Let V = {V, S, A, TZ) be a planning domain. A 
Planning Problem for V is a triple {T>,I, Q), where % i^X <1S and % ^ Q <Z S. 

The plan n is a conformant plan for (that is, a conformant solution to) the planning 
problem (23, X,^) iff the following conditions hold: 

{i) TT is applicable in I; 

{ii) Image[K]{I) C Q. 

In the following, when clear from the context, we omit the domain from the planning 
problem, and we simply write (I, Q). 
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4. The Conformant Planning Algorithm 

Our conformant planning algorithm is based on the exploration of the space of plans, limiting 
the exploration to plans which are conformant by construction. The algorithm builds Belief 
state-Plan (BsP) pairs of the form {Ds . tt), where Bs is a non-empty belief state and vr 
is a plan. The idea is to use a BsP pair to associate each explored plan with the maximal 
belief state where it is applicable, and from which it is guaranteed to result in goal states. 
The exploration is based on the basic function SPreImage[a]{B s) , that, given a belief state 
Bs and an action a, returns the belief state containing all the states where a is applicable, 
and whose image under a is contained in Bs. 

Definition 6 (Strong Pre-Image) Let / Bs C S be a belief state and let a be an 
action. The strong pre-image of Bs under a, written SPreImage[a]{Bs), is defined as 
follows. 

SPreImage[a](Bs) = {s \ a is applicable in s,and Image[a](s) C Bs} 

If SPreImage[a]{Bs) is not empty, then a is applicable in it, and it is a conformant so- 
lution to the problem {SPreImage[a]{Bs), Bs). Therefore, if the plan tt is a conformant 
solution for the problem {Bs, Q), then the plan a; tt is a conformant solution to the problem 
{SPreImage[a]{B s) , Q). 

Figure 3 depicts the space of BsP pairs built by the algorithm while solving the BTUC 
problem. The levels are built from the goal, on the right, towards the initial states, on the 
left. At level 0, the only BsP pair is ({5,7} . e), composed by the set of goal states indexed 
by the 0-length plan e. (Notice that e is a conformant solution to every problem with goal set 
{5,7} and initial states contained in {5,7}.) The dashed arrows represent the application 
of SPrelmage. At level 1, only the BsP pair ({5,6,7,8} . Flush) is built, since the strong 
pre-image of the belief state for the actions Dunki and Dunk2 is empty. At level 2, there 
are three BsP pairs, with (overlapping) belief states Bs2, Bss and Bs4, indexed, respectively, 
by the length 2 plans Dunki; Flush, Flush: Flush and Dunk2: Flush. (A plan associated 
with a belief state Bsj is a sequence of actions labeling the path from Bsj to Bsq.) Notice 
that Bs3 is equal to Bsi, and therefore deserves no further expansion. The expansion of 
belief states 2 and 4 gives the belief states 5 and 6, both obtained by the strong pre-image 
under Flush, while the strong pre-image under actions Dunki and Dunk2 returns empty 
belief states. The further expansion of Bss results in three belief states. The one resulting 
from the strong pre-image under Flush is not reported, since it is equal to Bss. Belief state 
7 is also equal to Bs2, and deserves no further expansion. Belief state 8 can be obtained by 
expanding both Bss and Bsg. At level 5, the expansion produces Bsio, which contains all 
the initial states. Therefore, both of the corresponding plans are conformant solutions to 
the problem. 

The conformant planning algorithm ConformantPlan is presented in Figure 4. It 
takes as input the planning problem in the form of the set of states X and Q (the domain 
V is assumed to be globally available). The algorithm performs a backwards breadth- first 
search, exploring BsP pairs corresponding to plans of increasing length at each step. The 
status of the search (each level in Figure 3) is represented by a BsP table, i.e. a set of BsP 
pairs 

BsPT={{Bsi . TTi),... ,{BSr, . TT,)} 
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Figure 3: The BsP tables for the BTUC problem 



where the tt^ are plans of the same length, such that tt^ / TTj for all 1 < j^i < n. We 
call Bs-i the belief set indexed by yr-j. When no ambiguity arises, we write BsPT{TTi) for 
Bsi. The array BsPTables is used to store the BsP tables representing the levels of the 
search. The algorithm first checks (line 4) if there are plans of length 0, i.e. if e is a 
solution. If no conformant plan of such length exists {{Plans = 0) in line 4), then the 
while loop is entered. At each iteration, conformant plans of increasing length are explored 
(lines 5 to 8). The step at line 6 expands the BsP table in BsPTahles[i — 1] and stores the 
resulting BsP table in BsPTahles[i\. BsP pairs which are redundant with respect to the 
current search are eliminated from BsPTahles[i\ (line 7). The possible solutions contained 
in BsPTahles[{\ are extracted and stored in Plans (line 8). The loop terminates if either a 
plan is found {Plans / 0), or the space of conformant plans has been completely explored 
{BsPTables[i] = 0). 

The definitions of the basic functions used in the algorithm are reported in Figure 5. 
The function ExpandBsPTable expands the BsP table provided as argument, containing 
conformant plans of length i — 1, and returns a BsP table with conformant plans of length 
i. Each BsP in the input BsP table is expanded by ExpandBsPPair. For each possible 
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function ConformantPlan^Xj^^ 
begin 



1 i = 0; 

2 BsPTablesfO] := { {G ■ e) }; 

3 Plans := ExtractSolution(X, SsPTafe/esp]); 

4 while ((BsPTahles[i] / 0) A {Plans = 0)) do 

5 i := i + 1; 

6 BsPTablesfi] := ExPANDBsPTABLE(BsPTables[i-l]); 

7 BsPTablesfi] := PRUNEBsPTABLE(5sPTa6/es['i], BsPTables, i); 

8 Plans := ExtractSolution(X, 5sPTa6/es[«]); 

9 done 

10 if (BsPTables[i] = $) then 

11 return Fail; 

12 else return Plans; 



13 end 



Figure 4: The conformant planning algorithm. 

action a, the strong pre-image of Bs is computed, and if the resulting belief state Bs' is 
not empty, i.e. there is a belief state from which a guarantees the achievement of Bs, then 
the plan tt is extended with a and {Ds' . a: it) is returned. The expansion of a BsP table 
is the union of the expansions of each BsP pair. The function ExtractSolution takes as 
input a BsP table and returns the (possibly empty) set of plans which index a belief states 
containing I. PruneBsPTable takes as input the BsP table to be pruned, an array of 
previously constructed BsP tables BsPTables, and an index of the current step. It removes 
from the BsP table in the input the plans which are not worth being explored because the 
corresponding belief states have already been visited. 

The algorithm has the following properties. First, it always terminates. This follows 
from the fact that the set of explored belief sets (stored in BsPTables) is monotonically 
increasing — at each step we proceed only if at least one new belief state is generated. 
Because of its finiteness (the set of accumulated belief states is contained in 2'^'' which is 
finite), a fix point is eventually reached. Second, it is correct, i.e. when a plan is returned 
it is a conformant solution to the given problem. The correctness of the algorithm follows 
from the properties of SPrelmage: each plan is associated with a belief state for which it 
is conformant, i.e. where it is guaranteed to be applicable and from which it results in a 
belief state contained in the goal. Third, the algorithm is optimal, i.e. it returns plans of 
minimal length. This property follows from the breadth-first style of the search. Finally, 
the algorithm is able to decide whether a problem admits no solution, returning Fail in such 
cases. Indeed, a conformant solution is always associated with a belief state containing the 
initial states. SPrelmage generates the maximal belief state associated with a conformant 
plan, each new belief state generated in the exploration is compared with the initial states 
to check if it is a solution, and a plan is pruned only if an equivalent plan has already been 
explored. 
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ExpandBsPTable(5sPT) = (J ExpandBsPPair((Ss . tt)) 

{Bs . ■k)gBsPT 

ExpandBsPPair((Ss . tt)) = {{Bs' . a;TT)\ such that Bs' = SPreImage[a]{Bs) / 0} 



PruneBsPTable(5sPT, BsPTables, i) = 

{{Bs . tt) G BsPT I for all j < i, there is no {Bs . tt') G BsPTables[j] such that {Bs' = Bs)} 

ExtractSolution(X, BsPT) = {n \ there exists {Bs . n) G BsPT such that I C Bs} 
Figure 5: The primitives used by the conformant planning algorithm. 
5. Conformant Planning via Symbolic Model Checking 

Model checking is a formal verification technique based on the exploration of finite state 
automata (Clarke, Emerson, Sz Sistla, 1986). Symbolic model checking (McMillan, 1993) is 
a particular form of model checking using Binary Decision Diagrams to compactly represent 
and efficiently analyze finite state automata. The introduction of symbolic techniques into 
model checking led to a breakthrough in the size of model which could be analyzed (Burch 
et al., 1992), and made it possible for model checking to be routinely applied in industry, 
especially in logic circuits design (for a survey see Clarke & Wing, 1996). 

In the rest of this section, we will provide an overview of Binary Decision Diagrams, 
and we will describe the representation of planning domains, based on the BDD-based 
representation of finite state automata used in model checking. Then, we will discuss the 
extension which allows to symbolically represent BsP tables and their transformations, thus 
allowing for an efficient implementation of the algorithm described in the previous section. 

5.1 Binary Decision Diagrams 

A Reduced Ordered Binary Decision Diagram (Bryant, 1992, 1986) (improperly called Bdd) 
is a directed acyclic graph (DAG). The terminal nodes are either True or False. Each non- 
terminal node is associated with a boolean variable, and two Bdds, called left and right 
branches. Figure 6 (a) depicts a Bdd for (ai f-> 6i) A (02 f-> 62) A (03 f-> 63). At each 
non-terminal node, the right [left, respectively] branch is depicted as a solid [dashed, resp.] 
line, and represents the assignment of the value True [False, resp.] to the corresponding 
variable. A Bdd represents a boolean function. For a given truth assignment to the variables 
in the Bdd, the value of the function is determined by traversing the graph from the root 
to the leaves, following each branch indicated by the value assigned to the variables^. The 

1. A path from the root to a leaf can visit nodes associated with a subset of all the variables of the Bdd. 
See for instance the path associated with ai, -161 in Figure 6(a). 
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(a) 



(b) 



Figure 6: Two Bdds for the formula (ai -H- bi) A (02 ^ A (03 -H- 63). 



reached leaf node is labeled with the resulting truth value. If u is a Bdd, its size \v\ is the 
number of its nodes. If n is a node, var{n) indicates the variable indexing node n. 

Bdds are a canonical representation of Boolean functions. The canonicity follows by 
imposing a total order < over the set of variables used to label nodes, such that for any 
node n and respective non-terminal child m, their variables must be ordered, i.e. var{n) < 
var{m), and requiring that the Bdd contains no isomorphic subgraphs. 

Bdds can be combined with the usual boolean transformations (e.g. negation, con- 
junction, disjunction). Given two Bdds, for instance, the conjunction operator builds and 
returns the Bdd corresponding to the conjunction of its arguments. Substitution can also 
be represented as Bdd transformations. In the following, if d is a variable, and $ and 'ip are 
Bdds, we indicate with ^[v/ip] the Bdd resulting from the substitution of w with ip in If 
vi and V2 are vectors of (the same number of) distinct variables, we indicate with $[vi/v2] 
the parallel substitution in $ of the variables in vector vi with the (corresponding) variables 
in V2. 

Bdds also allow for transformations described as quantifications, in the style of Quanti- 
fied Boolean Formulae (QBF). QBF is a definitional extension to prepositional logic, where 
propositional variables can be universally and existentially quantified. In terms of Bdd 
computations, a quantification corresponds to a tranformation mapping the Bdd of $ and 
the variable Vi being quantified into the Bdd of the resulting (propositional) formula. If $ 
is a formula, and Vi is one of its variables, the existential quantification of Vi in written 
^?;.j.$(^^l, . . . , f„), is equivalent to ^{vi, . . . , Vn)[vi/False\ V $(?;i, . . . , Vn)[vi/True\. Analo- 
gously, the universal quantification yvi.^{vi, . . . , Vn) is equivalent to $(f 1, . . . , Vn)[vi/ False]A 
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. . . ,Vn)[vilTrue]. In QBF, quantifiers can be arbitrarily applied and nested. In gen- 
eral, a QBF formula has an equivalent prepositional formula, but the conversion is subject 
to an exponential blow-up. 

The time complexity of the algorithm for computing a truth-functional boolean trans- 
formation /i <op> f2 is 0(|/i| ■ 1/2 1)- As far as quantifications are concerned, the time 
complexity is quadratic in the size of the Bdd being quantified, and linear in the number 
of variables being quantified, i.e. 0(|v| • (Bryant, 1992, 1986). 

Bdd packages are efficient implementations of such data structures and algorithms (Brace 
et al., 1990; Somenzi, 1997; Yang et al., 1998; Coudert et al., 1993). Basically, a Bdd pack- 
age deals with a single multi-rooted DAG, where each node represents a boolean function. 
Memory efficiency is obtained by using a "unique table" , and by sharing common subgraphs 
between Bdds. The unique table is used to guarantee that at each time there are no iso- 
morphic subgraphs and no redundant nodes in the multi-rooted DAG. Before creating a 
new node, the unique table is checked to see if the node is already present, and only if this 
is not the case a new node is created and stored in the unique table. The unique table 
allows to perform the equivalence check between two Bdds in constant time (since two 
equivalent functions always share the same subgraph) (Brace et al., 1990; Somenzi, 1997). 
Time efficiency is obtained by maintaining a "computed table" , which keeps track of the 
results of recently computed transformations, thus avoiding the recomputation. 

A critical computational factor with Bdds is the order of the variables used. (Figure 6 
shows an example of the impact of a change in the variable ordering on the size of a Bdd.) 
For a certain class of boolean functions, the size of the corresponding Bdd is exponential in 
the number of variables for any possible variable ordering (Bryant, 1991). In many practical 
cases, however, finding a good variable ordering is rather easy. Beside affecting the memory 
used to represent a Boolean function, finding a good variable ordering can have a big impact 
on computation times, since the complexity of the transformation algorithms depends on 
the size of the operands. Most Bdd packages provide heuristic algorithms for finding good 
variable orderings, which can be called to try to reduce the overall size of the stored Bdds. 
The reordering algorithms can also be activated dynamically by the package, during a Bdd 
computation, when the total number of nodes in the package reaches a predefined threshold 
(dynamic reoredering) . 

5.2 Symbolic Representation of Planning Domains 

A planning domain ("P, 5, A, TZ) can be represented symbolically using Bdds, as follows. A 
set of (distinct) Bdd variables, called state variables, is devoted to the representation of the 
states S of the domain. Each of these variables has a direct association with a proposition 
of the domain in V used in the description of the domain. For instance, for the BTUC 
domain, each of Jni, Defused and Clogged is associated with a unique Bdd variable. In 
the following we write x for the vector of state variables. Because the particular order is 
irrelevant but for performance issues, in the rest of this section we will not distinguish a 
proposition and the corresponding Bdd variable. 

A state is a set of propositions of V (specifically, the propositions which are intended 
to hold in it). For each state s, there is a corresponding assignment to the state variables 
re, i.e. the assignment where each variable corresponding to a proposition p G s is assigned 
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to True, and each other variable is assigned to False. We represent s with the Bdd ^(s), 
having such an assignment as its unique satisfying assignment. For instance, ^(6) = [Ini A 
Defused A Clogged) is the Bdd representing state 6, while ^(4) = -i/ni A -^Defused A 
Clogged represents state 4, and so on. (Without loss of generality, in the following we do 
not distinguish a propositional formula from the corresponding Bdd.) This representation 
naturally extends to any set of states Q C S as follows: 



In other words, we associate a set of states with the generalized disjunction of the Bdds 
representing each of the states. Notice that the satisfying assignments of the ^(Q) are 
exactly the assignment representations of the states in Q. This representation mechanism 
is very natural. For instance, the Bdd ^(X) representing the the set of initial states of 
the BTUC I = {1,2,3,4} is -^Defused, while for the set of goal states Q = {5,7} the 
corresponding Bdd is Defused A -^Clogged. A Bdd is also used to represent the set S of 
all the states of the domain automaton. In the BTUC, ^(5) = True because 5 = 2^. In a 
different formulation, where two independent propositions Ini and In2 are used to represent 
the position of a bomb, ^(5) would be the Bdd Ini ^ ~^In2- 

In general, a Bdd represents the set of (states which correspond to) its models. As 
a consequence, set theoretic transformations are naturally represented by propositional 
operations, as follows. 



The main efficiency of this symbolic representation lies in the fact that the cardinality 
of the represented set is not directly related to the size of the Bdd. For instance, ^{Q) uses 
two (non-terminal) nodes to represent two states, while ^(X) uses one node to represent four 
states. As limit cases, ^(5) and C({}) are (the leaf Bdds) True and False, respectively. As 
a further advantage, symbolic representation is extremely efficient in dealing with irrelevant 
information. Notice, for instance, that only the variable Defused occurs in ^({5,6,7,8}). 
For this reason, a symbolic representation can have a dramatic improvement over an explicit, 
enumerative representation. This is what allows symbolic, BDD-based model checkers to 
handle finite state automata with a very large number of states (see for instance Burch 
et al., 1992). In the following, we will collapse a set of states and the Bdd representing it. 

Another set of Bdd variables, called action variables, written a, is used to represent 
actions. We use one action variable for each possible action in A. Intuitively, a Bdd action 
variable is true if and only if the corresponding action is being executed. If we assume that 
a sequential encoding is used, i.e. no concurrent actions are allowed, we also use a Bdd, 
Seq(q!), to express that exactly one of the action variables must be true at each time^. For 

2. In the specific case of sequential encoding, an alternative approach using only [log |^|] is possible: an 
assignment to the action variables denotes a specific action to be executed. Two assignments being 
mutually exclusive, the constraint SEQ(a) needs not to be represented. When the cardinality of the 
set of actions is not a power of two, the standard solution is to associate more than one assignment to 
certain values. This optimized solution, which is actually used in the implementation, is not described 
here for the sake of simplicity. 



as\Q) 

^(QiUQ2) 

^(QinQa) 



C(5) A-C(Q) 

^(Qi) VC(Q2) 
aQi)^aQ2) 
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the BTUC problem, where A contains three actions, we use the three Bdd variables Dunki, 
Dunk^ and Flush^ while we express the serial encoding constraint with the following Bdd: 

Seq(q!) = (Dunki y Dunki^ Flush) A-'(Dunki A Dunki) A-'{Dunki A Flush) A-'{Dunk2 A Flush) 

As for state variables, we are referring to Bdd action variables with symbolic names for 
the sake of simplicity. In practice, they will be internally represented as integers, but their 
position in the ordering of the Bdd package is totally irrelevant in logical terms. 

A Bdd in the variables x and a represents a set of state-action pairs, i.e. a relation 
between states and actions. For instance, the applicability relation in the BTUC (i.e., all 
actions are possible in all states, except for dunking actions which require the toilet not 
to be clogged) is represented by the Bdd -^{Clogged A {Dunki V Dunk2))- Notice that it 
represents a set of 16 state-action pairs, each associating a state with an applicable action. 

A transition is a 3-tuple composed of a state (the initial state of the transition), an 
action (the action being executed), and a state (the resulting state of the transition). To 
represent transitions, another vector x' of Bdd variables, called next state variables, is 
allocated in the Bdd package. We write i'{s) for the representation of the state s in the 
next state variables. With ^'(Q) we denote the construction of the Bdd corresponding to 
the set of states Q, using each variable in the next state vector x' instead of each current 
state variables x. We require that |a;| = \x'\, and assume that the i-th variable in x and the 
i-ih variable in x' correspond. We define the representation of a set of states in the next 
variables as follows. 

as) = as)[xix'] 

We call the operation <I'[a;/a;'] "forward shifting" , because it transforms the representation of 
a set of "current" states in the representation of a set of "next" states. The dual operation 
$[a;'/a;] is called backward shifting. In the following, we call x current state variables to 
distinguish them from next state variables. A transition is represented as an assignment 
to re, a and x' . For the BTUC, the transition corresponding to the application of action 
Dunki in state 1 resulting in state 5 is represented by the following Bdd 

^{{l, Dunki, h)) = ^(1) A Dunki A [h) 

The transition relation TZ of the automaton corresponding to a planning domain is 
simply a set of transitions, and is thus represented by a Bdd in the Bdd variables x, a and 
re', where each satisfying assignment represents a possible transition. 

an) = SEQ(a) A v m 

ten 

In the rest of this paper, we assume that the Bdd representation of a planning domain 
is given. In particular, we assume as given the vectors of variables x,x',a, the encoding 
functions ^ and and we simply call S, TZ, I and Q the Bdd representing the states of the 
domain, the transition relation, the initial states and the goal states, respectively. We write 
$(v) to stress that the Bdd $ depends on the variables in v. With this representation, it 
is possible to reason about plans, simulating symbolically the execution of sets of actions in 
sets of states, by means of QBF transformations. The Bdd representing the applicability 
relation can be directly obtained with the following computation. 

AppLiCABLE(a;,0!) = 3x' .7l{x,a,x') 
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The resulting Bdd, ApPLlCABLE(a;, a), represents the set of state-action pairs such that 
the action is apphcable in the state. The Bdd representing the states reachable from Q in 
one step is obtained with the following computation. 

Bx3a.{n{x,a,x')AQ{x))[x' /x] 

Notice that, with this single operation, we symbolically simulate the effect of the application 
of any applicable action in A to any of the states in Q. Similarly, the following transforma- 
tion allows to symbolically compute the SPrelmage of a set of states Q under all possible 
actions in one single computation: 

"ix' .{7l{x,a,x') ^ Q{x)[xlx']) A AppLiCABLE(a;,Q!) 

The resulting Bdd represents all the state-action pairs {x . a) such that a. is applicable in 
X and the execution of a in a; results in states in Q. 

5.3 Symbolic Search in the Space of Belief States 

The main strength of the symbolic approach is that it allows to perform a symbolic breadth- 
first search, and it provides a way for compactly representing and efficiently expanding the 
frontier. For instance, plans can be constructed by symbolic breadth-first search in the 
space of states, repeatedly applying the strong pre-image to the goal states (Cimatti et al., 
1998b). However, the machinery presented in the previous section cannot be directly applied 
to tackle conformant planning. The basic difference is that with conformant planning we are 
searching in the space of belief states^, and therefore the frontier of the search is basically 
a set of sets of states. We introduce a way to symbolically represent BsP tables. Basically, 
this can be seen as a construction on demand, based on the algorithm steps, of increasingly 
large portions of the space of belief states. The key intuition is that a BsP table 

{{{s\,... ,4J . TTl),... . TTk)} 

is represented as a relation between plans (of the same length) and states, by associating 
the plan directly with each state in the belief state indexed by the plan, as follows: 

{{s\ .TTl), ... , (4^ . TTl), . . . , (4 . TTk), ... , (4 . TTk)} (2) 

We use additional variables to represent the plans in the BsP tables. In order to represent 
plans of increasing length, at each step of the algorithm, a vector of new Bdd variables, 
called plan variables, is introduced. The vector of plan variables introduced at the 'i-th step 
of the algorithm is written ttj;], with |7r[;]| = \a\, and is used to encode the i-th to last action 
in the plan^. At step one of the algorithm, we introduce the vector of plan variables jt^i] 
to represent the action corresponding to each 1-length possible conformant plan. The BsP 

3. In principle, the machinery for symbolic search could be used to do conformant planning if applied to 
the determinization of the domain automaton, i.e. an automaton having 2'^ as its state space. However, 
this would require the introduction of an exponential number of state variables, which is impractical 
even for very small domains. 

4. The search being performed backwards, plans need to be reversed once found. 
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table BsPTi at level 1 is built by ExpandBsPTable by performing the following Bdd 
computation starting from the BsP table at level 0, i.e. Q{x): 

i^x' .{7l{x,a,x') ^ Q{x)[xlx']) A AppLiCABLE(a;,a))[a/7r[i]] 

The computation collects those state-action pairs {x . a) such that (the action represented 
by) a is applicable in (the state represented by) a;, and such that all the resulting (states 
represented by) x' are goal states. Then we replace the vector of action variables oi with 
the first vector of plan variables ttjij. The resulting Bdd, BsPT{x,'Ky^), represents a BsP 
table containing plans of length one in the form of a relation between states and plans as 
in (2). In the general case, after step « — 1, the BsP table 5sPTj_i, associating belief states 
to plans of length 2 — 1, is represented by a Bdd in the state variables x and in the plan 
variables 7r[i_i], . . . ,7r[i]. The computation performed by ExpandBsPTable at step i is 
implemented as the following Bdd transformation on DsPTi^i 

{yx' .{Tl{x,a,x') 5sPTj_i(a;,7r[i_i], . . . ,it[i])[x/x']) A AppLiCABLE(a;,Q!))[a/7r[i]](3) 

The next state variables in TZ and in BsPTi^i (resulting from the forward shifting) disappear 
because of the universal quantification. The action variables a are renamed to the newly 
introduced plan variables ttj;], so that in the next step of the algorithm the construction can 
be repeated. 

ExtractSolution extracts the assignments to plan variables such that the correspond- 
ing set contains the initial states. In terms of Bdd transformations, ExtractSolution is 
implemented as follows: 

\ix.{X{x) ^ 5sPT,(rc,7r[;], . . . ,7r[i])) (4) 

The result is a Bdd in the plan variables ttj;], . . . ,7r[i]. If the Bdd is False, then there are 
no solutions of length i. Otherwise, each of the satisfying assignments to the resulting Bdd 
represents a conformant solution to the problem. 

To guarantee the termination of the algorithm, at each step the BsP table returned 
by ExpandBsPTable is simplified by PruneBsPTable by removing all the belief states 
which do not deserve further expansion. This requires the comparison of the belief states 
contained in the BsP table with the belief states contained in each of the BsP tables built at 
previous levels. This is one of the crucial steps in terms of efficiency. An earlier implementa- 
tion of this step with logical Bdd transformations, following directly from the set-theoretical 
definition of PruneBsPTable, was extremely inefficient (Cimatti h Roveri, 1999). Fur- 
thermore, we noticed that the serial encoding could yield BsP tables containing a large 
number of equivalent plans, all indexing exactly the same belief state. Often these equiva- 
lent plans only differ in the order of some independent actions, and this is a potential source 
of combinatorial explosion. This occurs even in the simple version of the BTUC (in Figure 3, 
two equivalent conformant plans are associated with Bsg). Therefore, we developed a new 
implementation which could tackle these two problems by operating directly on the BsP 
table. The idea is depicted in Figure 7. Initially, the cache contains Bsi, Bs2 and Bss. The 
simplification performs a traversal of the Bdd, by accumulating the subtrees representing 
belief states, comparing them with the ones built at previous levels, and inserting the new 
ones in the cache (in Figure 7, Bs4, Bss and Bse). Each time a path is identified which 
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Figure 7: An example of pruning of a BsP table 



represents a plan indexing an already cached belief state, the plan is redundant and the 
corresponding path is pruned^. The cost of the simplification is linear in the size of the BsP 
being simplified and is highly effective in pruning. 



6. CMBP: a BDD-based Conformant Planner 

Cmbp (Conformant Model Based Planner) is a conformant planner implementing the data 
structures and algorithms for conformant planning described in the previous sections. Cmbp 
inherits the features of Mb? (Cimatti et al., 1997, 1998b, 1998a), a planner based on 
symbolic model checking techniques. Mbp is built on top of NuSMV, a symbolic model 
checker jointly developed by ITC-IRST and CMU (Cimatti et al., 2000), and uses the 
CUDD (Somenzi, 1997) state-of-the-art Bdd package. Mbp is a two-stage system. In 
the first stage, an internal BoD-based representation of the domain is built, while in the 
second stage planning problems can be solved. Currently, planning domains are described 
by means of the high-level action language ATZ (Giunchiglia et al., 1997). ATZ allows to 
specify (conditional and uncertain) effects of actions by means of high level assertions. For 
instance. Figure 8 shows the ATZ description of the BTUC problem^. The semantics of 
ATZ yields a serial encoding, i.e. exactly one action is assumed to be executed at each 



5. This pruning mechanism is actually weaker than the earlier one (Cimatti & Roveri, 1999). Here we 
require that the same belief state must not be expanded twice during the search, while in the earlier 
version we prune belief states contained in previously explored ones. This may increase the number of 
explored belief states. However, it allows for a much more efficient implementation, without impacting 
on the properties of the algorithm. 

6. ! and & stand for negation and conjunction, respectively. The description is slightly edited for the sake of 
readability. In particular, Mbp currently does not accept parameterized ATZ descriptions. In practice we 
use a script language to generate ground instances of different complexity from a parameterized problem 
description. 
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DOMAIN BTUC 

ACTIONS Dunk_l, Dunk_2, Flush; 

FLUENTS In_l, In_2, Defused, Clogged : boolean; 
INERTIAL Clogged, Defused, In_l, In_2; 

ALWAYS In_l <-> !In_2; 

Flush CAUSES ! Clogged; 

for i in [1, 2] { 

Dunk_<i> HAS PRECONDITIONS ! Clogged; 
Dunk_<i> CAUSES Defused IF In_<i>; 
Dunk_<i> POSSIBLY CHANGES Clogged; 

} 

INITIALLY ! Defused; 
CONFORMANT Defused & ! Clogged; 



Figure 8: An ATI description for the BTUC problem 

time. The automaton corresponding to an ATI description is obtained by means of the 
minimization procedure by Giunchiglia (1996). This procedure solves the frame problem 
and the ramification problem, and is efficiently implemented in Mbp (Cimatti et al., 1997). 
Because of the separation between the domain construction and the planning phases, Mbp 
is not bound to ATI. Standard deterministic domains specified in Pddl (Ghallab et al., 
1998) can also be given to Mbp by means of a (prototype) compiler. We are also starting 
to investigate the potential use of the C action language (Giunchiglia &; Lifschitz, 1998), 
which allows to represent domains with parallel actions. 

Different planning algorithms can be applied to the specified planning problems. They 
operate solely on the automaton representation, and are completely independent of the 
particular language used to specify the domain. Mbp allows for automatic construction of 
conditional plans under total observability, by implementing the algorithms for strong plan- 
ning (Cimatti et al., 1998b), and for strong cyclic plannig (Cimatti et al., 1998a; Daniele, 
Traverso, &; Vardi, 1999). In Cmbp, we implemented the ideas described in the previous 
sections. The primitives to construct and prune BsP tables required a lot of tuning, in 
particular with the ordering of Bdd variables. We found a general ordering strategy which 
works reasonably well: action variables are positioned at the top of the ordering, followed by 
plan variables, followed by state variables, with current state and next state variables inter- 
leaved. The specific ordering within action variables, plan variables, and state variables is 
determined by the standard mechanism implemented in NuSMV. Cmbp implements several 
algorithms for conformant planning. In addition to the backward algorithm presented in 
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Section 4, Cmbp implements an algorithm based on forward search, which allows to exploit 
the initial knowledge of the problem, sometimes resulting in significant speed ups (Cimatti 
h Roveri, 2000). Backward and forward search can also be combined, to tackle the ex- 
ponential growth of the search time with the depth of search. For all these algorithms, 
different options enable and disable different versions of the termination check. 

7. Experimental Evaluation 

In this section we present an experimental evaluation of our approach, which was carried 
out by comparing Cmbp with state-of-the-art conformant planners. We first describe the 
other conformant planners considered in the analysis, and then we present the experimental 
comparison that was carried out. 

7.1 Other Conformant Planners 

Cop (Smith & Weld, 1998) extends the ideas of Graphplan (Blum & Furst, 1995, 1997) to 
deal with uncertainty. Basically, a planning graph is built of every possible sequence of pos- 
sible worlds, and constraints among planning graphs are propagated to ensure conformance. 
The Cgp system takes as input domains described in an extension of Pddl (Ghallab et al., 
1998), where it is possible to specify uncertainty in the initial state. Ccp inherits from 
Graphplan the ability to deal with parallel actions. Cgp was the first efficient confor- 
mant planner: it was shown to outperform several other planners such as Buridan (Peot, 
1998) and UDTPOP (Kushmerick, Hanks, k Weld, 1995). The detailed comparison re- 
ported by Smith and Weld (1998) leaves no doubt on the superiority of Cgp with respect 
to these systems. Therefore, we compared Cmbp with Cgp and did not consider the other 
systems analyzed by Smith and Weld (1998). Cmbp is more expressive than Cgp in two 
respects. First, Cgp can only handle uncertainty in the initial state. For instance, Cgp 
cannot analyze the BTUC domain presented in Section 3. Smith and Weld (1998) describe 
how the approach can be extended to actions with uncertain effects. Second, Cgp cannot 
conclude that a planning problem has no conformant solutions. 

Qbfplan is (our name for) the planning system by Rintanen (1999a). Qbfplan general- 
izes the idea of SAT-based planning (Kautz, McAUester, &: Selman, 1996; Kautz & Selman, 
1996, 1998) to nondeterministic domains, by encoding problems in QBF. The Qbfplan 
approach is not limited to conformant planning, but can be used to do conditional planning 
under uncertainty, also under partial observability: different encodings, corresponding to 
different structures in the resulting plan, can be synthesized. In this paper, we are only 
considering encodings which enforce the resulting plan to be a sequence. Given a bound on 
the length of the plan, first a QBF encoding of the problem is generated, and then a QBF 
solver (Rintanen, 1999b) is called. If no solution is found, a new encoding for a longer plan 
must be generated and solved. Qbfplan is able to handle actions with uncertain effects. 
This is done by introducing auxiliary (choice) variables, the assignments to which the dif- 
ferent possible outcomes of actions correspond. These variables are universally quantified 
to ensure conformance of the solution. Differently from e.g. Blackbox (Kautz & Selman, 
1998), Qbfplan does not have a heuristic to guess the "right" length of the plan. Given 
a limit in the length of the plan, it generates all the encodings up to the specified length, 
and repeatedly calls the QBF solver on encodings of increasing length until a plan is found. 
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As Cgp, Qbfplan cannot conclude that a planning problem has no conformant solutions. 
Similarly to Cmbp, QbfplaN relies on a symbolic representation of the problem, although 
QBF transformations are performed by a theorem prover rather than with Bdds. 

Gpt (Bonet Sz Geffner, 2000) is a general planning framework, where the conformant 
planning problem is seen as deterministic search problem in the space of belief states. Gpt 
uses an explicit representation of the search space, where each belief state is represented 
as a separate data structure. The search is based on the A* algorithm (Nilsson, 1980), 
driven by domain dependent heuristics which are automatically generated from the problem 
description. Gpt accepts problem descriptions in a syntax based on Pddl, extended to deal 
with probabilities and uncertainty. It is possible to represent domains with uncertain action 
effects (although the representation of actions resulting in a large number of different states 
is rather awkward). As for the planning algorithm, Gpt is able to conclude that a given 
planning problem has no conformant solution by exhaustively exploring the space of belief 
states. 

7.2 Experiments and Results 

The evaluation was performed by running the systems on a number of parameterized prob- 
lem domains. We considered all the problems from the Cgp and Gpt distributions, plus 
other problems which were defined to test specific features of the planners. We considered 
domains with uncertainty limited to the initial state, and domains with uncertain action 
effects. Besides problems admitting a solution, we also considered problems not admitting 
a solution, in which case we measured the effectiveness of the plannner in returning with 
failure. 

Given their different expressivity, it was not possible to run all the systems on all the 
examples. Cmbp was run on all the classes of examples, while Gpt was run on all but one. 
Cgp was run only on the problems which admit a solution, and with uncertainty limited 
to the initial condition. Qbfplan was run on all the examples for which an encoding was 
already available from the Qbfplan distribution. This is only a subset of the problems 
expressible in Cgp. The main limiting factor was the low level of the input format of 
Qbfplan: problem descriptions must be specified as ML code which generates the QBF 
encodings. Writing new encodings turned out to be a very difficult task, especially due to 
the lack of documentation. 

We ran Cgp, Qbfplan and Cmbp on an Intel 300MHz Pentium-II, 512MB RAM, 
running Linux. The comparison between Cmbp and Gpt was run on a Sun Ultra Sparc 
270MHz, 128Mb RAM running Solaris (Gpt was available as a binary). However, the 
performance of the two machines is comparable — the run times for Cmbp were almost 
identical. CPU time was limited to 7200 sec (two hours) for each test. To avoid swapping, 
the memory limit was fixed to the physical memory of the machine. In the following, we 
write " — " or for a test that did not complete within the above time and memory 

limits, respectively. The performance of the systems are reported in tables listing only the 
search time. This excludes the time needed by Qbfplan to generate the encodings, the 
time spent by Cmbp to construct the automaton representation into Bdd, and the time 
needed by Gpt to generate the source code of its internal representation, and to compile 
it. Overall, the most significant time ignored is the automaton construction of Cmbp. 
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Currently, the automaton construction is not fully optimized. Even in the most complex 
examples, however, the construction never required more than a couple of minutes^. 

7.2.1 Bomb in the Toilet 

Bomb in the Toilet. The first domain we tackled is the classical bomb in the toilet, 
where there is no notion of clogging. We call the problem BT(p), where the parameter p 
is the number of packages. The only uncertainty is in the initial condition, where it is not 
known which package contains the bomb. The goal is to defuse the bomb. The results for 
the BT problem are shown in Table 1. The columns relative to Cmbp are the length of the 
plan (|P|), the number of cached belief states and the number of hits in the cache (#BS and 
#NBS respectively), the time (expressed in seconds) needed for searching the automaton 
under Pentium/Linux (Time(L)) and under Sparc/Solaris (Time(S)). In the following, when 
clear from the context, the execution platform is omitted. The columns relative to Cgp are 
the number of levels in the planning graphs (|L|) and the search time. The column relative 
to Gpt is the search time. 





Cmdp 


Cgp 


Gpt 




|P| 


#BS/#BSH 


Time(L) 


Time(S) 


|L| 


Time 


Time 


BT(2) 


2 


2/2 


0.000 


0.000 


1 


0.000 


0.074 


BT(3) 


3 


C / 11 


0.000 


0.000 


1 


0.000 


0.077 


BT(4) 


4 


14 / 36 


0.000 


0.000 


1 


0.000 


0.080 


BT(5) 


5 


30 / 103 


0.000 


0.000 


1 


0.000 


0.087 


BT(6) 


6 


62 / 266 


0.010 


0.010 


1 


0.010 


0.102 


BT(7) 


7 


126 / 641 


0.010 


0.030 


1 


0.010 


0.139 


BT(8) 


8 


254 / 1496 


0.030 


0.030 


1 


0.020 


0.230 


BT(9) 


9 


510 / 3463 


0.070 


0.070 


1 


0.020 


0.481 


BT(IO) 


10 


1022 / 7862 


0.150 


0.140 


1 


0.020 


1.018 



Table 1: Results for the BT problems. 

The BT problem is intrinsically parallel, i.e. the depth of the planning graph is always 
one, because all the packages can be dunked at the same time. Cgp inherits from Graph- 
PLAN the ability to deal with parallel actions efficiently, and therefore it is almost insensitive 
to the problem size. For this problem Cgp outperforms both Cmbp and Gpt. Notice that 
the number of levels explored by Cgp is always 1, while the length of the plan produced by 
Cmbp and Cgp grows linearly. Cmbp performs slightly better than Gpt. 

Bomb in the Toilet with Clogging. We call BTC(p) the extension of the BT(p) where 
dunking a package (always) clogs the toilet, flushing can remove the clogging, and no clog- 
ging is a precondition for dunking a package. Again, p is the number of packages. The toilet 
is initially not clogged. With this modification, the problem no longer allows for a parallel 
solution. The results for this problem are listed in Table 2. The impact of the depth of 
the plan length becomes significant for all systems. Both Cmbp and Gpt outperform Cgp. 
In this case Cmbp performs better than Gpt, especially on large instances (see BTC(16)). 

7. More precisely, the maximum time in building the automaton was required for the BMTC(10,6) examples 
(88 sees.), the RING(IO) example (77 sees.), the BMTC(9,6) examples (40 sees.), and the BMTC(10,5) 
examples (41 sees.). For most of the other examples, the time required for the automaton construction 
was less than 10 seconds. 
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Cmbp 


Cop 


Gpt 




IP 


#BS/#BSH 


Time(L) 


Time(S) 


|L 


Time 


Time 


BTC(2) 


3 


6 / 8 


0.000 


0.010 


3 


0.000 


0.07-1 


BTC'(3) 


5 


1 1 / 23 


0.000 


0.000 


5 


0.010 


0.077 


BTC(4) 


7 


30 / 61 


0.010 


0.010 


7 


0.030 


0.082 


BTC(5) 


9 


62 / 150 


0.020 


0.020 


9 


0.130 


0.094 


BTC(6) 


11 


126 / 347 


0.020 


0.020 


11 


0.860 


0.113 


BTC(7) 


13 


254 / 796 


0.070 


0.080 


13 


2.980 


0.166 


BTC(8) 


15 


510 / 1844 


0.150 


0.160 


15 


13.690 


0.288 


BTC(9) 


17 


1022 / 4149 


0.320 


0.330 


17 


41.010 


0.607 


BTC(IO) 


19 


2046 / 9190 


0.710 


0.700 


19 


157.590 


1.309 



I BTC(16) II 31 I 131070 / 921355 I 99.200 | 99.800 | 



351.457 



Qbfplan 


BTC(6) 


BTC(IO) 


|P 


Time 


|P 


Time 


1 


0.00 


1 


0.02 


2 


0.01 


2 


0.03 


3 


0.26 


3 


0.78 


4 


0.63 


4 


2.30 


5 


1.53 


5 


4.87 


6 


2.82 


6 


8.90 


7 


6.80 


7 


22.61 


8 


14.06 


8 


52.72 


9 


35.59 


9 


156.12 


10 


93.34 


10 


410.86 


11 


(+) 2.48 


11 


1280.88 






13 


3924.96 






14 
















18 








19 


(+) 16.84 



Table 2: Results for the BTC problems. 



The comparison with Qbfplan is limited to the 6 and 10 package instances (the ones avail- 
able from the distribution package). The performance of Qbfplan is reported in the left 
table in Table 2. Each line reports the time needed to decide whether there is a plan of 
length i. The performance of Qbfplan is rather good when tackling an encoding admit- 
ting a solution (in Table 2 these entries are labeled by (+)). For instance, in the BTC(IO) 
Qbfplan finds the solution solving the encodings at depth 19 reasonably fast. However, 
when a solution cannot be found, i.e. the QBF formula admits no model, the performance 
of Qbfplan degrades significantly (for the depth 18 encoding, we let the solver run for 10 
CPU hours and it did not complete the search). Because of the difference in performance, 
and the difficulty in writing new domains, in the rest of the comparison we will not consider 
Qbfplan. 

Bomb in Multiple Toilets. The next domain, called BMTC(p,i), is the generalization 
of the BTC problem to the case of multiple toilets [p is the number of packages, while t 
is the number of toilets). The problem becomes more parallelizable when the number of 
toilets increases. Furthermore, we considered three versions of the problem with increasing 
uncertainty in the initial states. In the first class of tests ("Low Uncertainty" columns), the 
only uncertainty is the position of the bomb which is unknown, while toilets are known to 
be not clogged. The "Mid Uncertainty" and "High Uncertainty" columns show the results 
in presence of more uncertainty in the initial state. In the second [third, respectively] class 
of tests, the status of every odd [every, resp.] toilet can be either clogged or not clogged. 
This increases the number of possible initial states. 

The results are reported in Table 3 (for the comparison with Ccp) and in Table 4 
(for the comparison with Gpt). The IS column represents the number of initial states of 
the corresponding problem. Cgp is able to fully exploit the parallelism of the problem. 
However, Cgp is never able to explore more than 9 levels in the planning graph, with depth 
decreasing with the number of initial states. The results also show that Cmbp and Gpt 
are much less sensitive to the number of initial states than Cgp. With increasing initial 
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Low Uncertaintv 


Mid Uncertainty 


Higli Uncertainty 


BMTC 
(P,t) 




Cmbp 


Cgp 




Cmbp 


Cgp 




C^IBP 


Cgp 


IS 


P 


#BS/#BSII 


Time 




Time 


IS 


#BS/#BSn 


Time 


|L| 


Time 


IS 


#BS/#BSH 


Time 




Time 




2 


2 


10 / 18 


0.000 


1 


0.000 


4 


12 / 34 


0.000 


2 


0.010 


8 


12 / 40 


0.000 


2 


0.030 


('^ 2) 


3 


4 


26 / 84 


0.000 


3 


0.020 


6 


28 / 106 


0.000 


3 


0.040 


12 


28 / 112 


0.010 


4 


13.660 


(4 2) 


4 


6 


58 / 250 


0.020 


3 


0.030 


8 


60 / 286 


0.020 


4 


0.460 


16 


60 / 294 


0.010 


4 


145.830 


(5,2) 


5 


8 


122 / 652 


0.030 


5 


1.390 


10 


124 / 702 


0.030 


6 


13,180 


20 


124 / 710 


0.040 


4 


— 


(6,2) 


6 


10 


260 / 1662 


0.070 


6 


3.490 


12 


252 / 1614 


0.080 


6 


— 


24 


252 / 1622 


0.080 






(7,2) 


7 


12 


606 / 3586 


0.180 


7 


608.510 


14 


508 / 3662 


0.190 






28 


508 / 3670 


0.190 






(8,2) 


8 


14 


1018 / 8262 


0.400 


7 


918.960 


16 


1020 / 8362 


0.430 






32 


1020 / 8372 


0.450 






■ 


9 


16 


2042 / 18484 


0.940 


7 


— 


18 


2044 / 18602 


0.960 






36 


2044 / 18612 


0.950 






(10.21 


10 


18 


4090 / 40676 


1 .820 






20 


4092 / 40810 


1 .990 






40 


4092 / 40820 


2.030 






(2 '\) 


2 


2 


18 / 42 


0.000 


i 


0.010 


8 


24 / 99 


0.000 


2 


0.090 


16 


24 / 126 


0.010 


2 


0.170 




3 


3 


47 / 202 


0.010 


1 


0.010 


12 


56 / 349 


0.020 


2 


0.200 


24 


56 / 373 


0.020 


2 


0.690 


(4 'X) 


4 


5 


110 / 736 


0.030 


3 


0.110 


16 


120 / 942 


0.040 


3 


0.990 


32 


120 / 972 


0.040 


3 


— 


. ■ 


5 


7 


237 / 2034 


0.080 


3 


0.170 


20 


248 / 2335 


0.110 


3 


— 


40 


248 / 2371 


0.120 






■■ ■■ 


6 


9 


492 / 5106 


0.230 


3 


0.340 


24 


504 / 5520 


0.250 






48 


504 / 5562 


0.240 






(-.3) 


- 


11 


1003 / 12128 


0.560 


5 


6248.010 


28 


101 / 12673 


0.590 






56 


1016 / 12721 


0.640 






■ ■ ■ 




13 


2026 / 27836 


1 .300 


4 


— 


32 


204 / 28530 


1 .350 






64 


2040 / 28584 


1 .330 








9 


15 


4073 / 62470 


3.330 






36 


408 / 63331 


3.370 






72 


4088 / 63391 


3.390 






■ ■■ ■■ 


10 


17 


8168 / 138046 


7.280 






40 


818 / 139092 


7.460 






80 


8184 / 139158 


7.430 








2 


2 


29 / 76 


0.010 


1 


0.000 


8 


29 / 75 


0.000 


1 


0.020 


32 


48 / 332 


0.020 


2 


1.610 


(3 4) 


3 


3 


92 / 492 


0.020 


1 


0.010 


12 


108 / 808 


0.030 


2 


0.290 


48 


112 / 960 


0.040 


2 


8.690 




4 


4 


206 / 1686 


0.060 


1 


0.010 


16 


236 / 2366 


0.080 


2 


0.730 


64 


240 / 2532 


0.090 


2 


32.190 


(5,4) 


5 


6 


457 / 4987 


0.190 


3 


0.500 


20 


492 / 5888 


0.230 


2 


— 


80 


496 / 6092 


0.240 


3 


— 


(6,4) 


6 


8 


964 / 12456 


0.410 


3 


1.160 


24 


1004 / 13648 


0.470 






96 


1008 / 13876 


0.470 






(7,4) 


7 


10 


1983 / 29463 


1.040 


3 


2.410 


28 


2028 / 31004 


1.120 






112 


2032 / 31260 


1.160 






(8,4) 


8 


12 


4026 / 68466 


2.740 


3 


8.640 


32 


4076 / 70684 


2.870 






128 


4080 / 70912 


2.910 






(9,4) 


9 


14 


8117 / 163896 


6.690 


4 


— 


36 


8172 / 16664 


6.900 






144 


8176 / 156904 


6.970 






(10,4) 


10 


16 


16304 / 339160 


14.420 






40 


16364 / 34234 


14.630 






160 


16368 / 342736 


14.770 






(2 5^ 


2 


2 


43 / 117 


0.010 


1 


0.010 


16 


43 / 117 


0.010 


1 


0.130 


64 


93 / 761 


0.030 


2 


21.120 


(3 5'i 


3 


3 


164 / 1031 


0.040 


1 


0.020 


24 


212 / 2008 


0.080 


2 


3.540 


96 


224 / 2691 


0.120 


2 


138.430 


(4 ^^ 


4 


4 


416 / 4304 


0.160 


1 


0.020 


32 


476 / 6376 


0.260 


2 


6.320 


128 


480 / 6740 


0.260 


2 


661.210 


(6,6) 


5 


5 


872 / 11763 


0.490 


1 


0.060 


40 


987 / 15928 


0.700 


2 


37,969 


160 


992 / 16393 


0.730 


2 


1623.840 


(6,6) 


6 


7 


1876 / 31695 


1.300 


3 


6.920 


48 


2011 / 37759 


1.890 


2 




192 


2016 / 38334 


1.980 


2 




(7,5) 


7 


9 


3901 / 78009 


3.990 


3 


18.410 


56 


4059 / 86716 


4.480 






224 


4064 / 8741 1 


4.540 






(8.5) 




11 


7974 / 183036 


9.670 




62.040 


64 


8155 / 195055 


10.590 








8160 / 195880 


10.640 






(y.5) 




13 


16142 / 416333 


24.250 




194.640 




16347 / 432408 


25.600 






288 


16352 / 433373 


25.370 






(10,5) 


10 


15 


32501 / 927329 


54.910 


3 


289,680 


80 


32731 / 948279 


56.420 






320 


32736 / 949394 


56.290 






(2,6) 


2 


2 


60 / 168 


0.010 


1 


0.010 


16 


60 / 168 


0.010 


1 


0.200 


128 


171 / 1533 


0.040 


2 


337.604 


(3,6) 


3 


3 


270 / 1848 


0.070 


1 


0.010 


24 


270 / 1848 


0.070 


1 


0.830 


192 


448 / 6248 


0.310 


2 


1469.110 


(4,6) 


4 


4 


786 / 9294 


0.300 


1 


0.040 


32 


920 / 13810 


0.600 


2 


30.630 


266 


960 / 16344 


0.690 


2 


6643.460 


(6,6) 


6 


6 


1777 / 29076 


1.160 


1 


0.060 


40 


1968 / 37636 


1.940 


2 


30.140 


320 


1984 / 39710 


2.120 


2 




(6,6) 


6 


6 


3613 / 71123 


3.290 


1 


0.100 


48 


4005 / 90111 


4.080 


2 


57.300 


384 


4032 / 92772 


4.600 






(7,6) 


7 


8 


7625 / 180127 


9.060 


3 


211.720 


56 


8100 / 208050 


10.130 


2 




448 


8128 / 211370 


10.400 






(8,6) 


8 


10 


16726 / 429198 


20.710 


3 


1015.160 


64 


16291 / 469277 


22.620 






512 


16320 / 473328 


23.000 






(9,6) 


9 


12 


32012 / 986188 


50.610 


3 


3051.990 


72 


32674 / 1.04173e+06 


63.510 






576 


32704 / 1.04658e+06 


64.010 






■ 


10 


14 


64675 / 2.21106e+06 


111.830 


2 




80 


66441 / 2.28686e+06 


116.440 






640 


66472 / 2.29168e+06 


116.240 







Table 3: 
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Low Unc. 


High Unc. 


BMTC 

(P,t) 


Cmbp 


Gpt 


Cmbp 


Gpt 


Time 


Time 


Time 


Time 


(2,2) 


0.000 


0.079 


0.010 


0.079 


(3,2) 


0.010 


0.087 


0.010 


0.091 


(4,2) 


0.000 


0.105 


0.020 


0.121 


(5,2) 


0.040 


0.146 


0.040 


0.198 


(6,2) 


0.080 


0.227 


0.070 


0.376 


(7,2) 


0.190 


0.441 


0.200 


0.850 


(8,2) 


0.390 


0.922 


0.400 


1.966 


(9,2) 


0.910 


2.211 


0.950 


4.743 


(10,2) 


1.850 


5.169 


1.900 


10.620 


(2,4) 


0.000 


0.109 


0.010 


0.121 


(3,4) 


0.010 


0.156 


0.040 


0.284 


(1.1) 


0.050 


0.270 


0.100 


I.OIC 


(5, 1) 


0.180 


O.CIC 


0.210 


3.282 


(6,4) 


0.370 


1.435 


0.460 


9.374 


(7,4) 


1.080 


3.484 


1.190 


27.348 


(8,4) 


2.700 


8.767 


2.830 


72.344 


(9,4) 


8.970 


23.858 


6.920 


180.039 


(10,4) 


14.210 


59.966 


114.690 


440.308 


(2,6) 


0.010 


0.303 


0.060 


0.482 


(3,6) 


0.050 


0.562 


0.260 


2.471 


(4,6) 


0.310 


1.354 


0.620 


17.406 


(5,6) 


1.110 


3.257 


2.060 


74.623 


(6,6) 


3.400 


8.691 


4.660 


243.113 


(7,6) 


8.910 


25.677 


10.430 


701.431 


(8,6) 


21.240 


68.427 


23.860 




(9,6) 


49.880 


289.000 


54.190 




(10,6) 


113.680 


486.969 


118.590 





Table 4: Results for the BMTC problems. 

uncertainty, Ccp is almost unable to solve what were trivial problems. Gpt performs better 
than Cop, but it suffers from the explicit representation of the search space. 

Bomb in the Toilet with Uncertain Clogging. The BTUC(j;) domain is the domain 
described in Section 2, where clogging is an uncertain outcome of dunking a package. This 
kind of problem cannot be expressed in Cgp. The results for Cmbp and Gpt are reported 
in Table 5. Although Cmbp performs better than Gpt (by a factor of two to three), there 
is no significant difference in the behavior. It is interesting to compare the results of Cmbp 
for the ETC and BTUC problems. For Gpt a slight difference is noticeable, resulting from 
the increased branching factor in the search space due to the uncertainties in the effects of 
action executions. In the performance of Cmbp, the number of uncertainties is not a direct 
factor — for example, in the BTC(16) and BTUC(16), the performance is almost the same. 



7.2.2 Ring of Rooms 

Simple Ring of Room. We considered another domain, where a robot can move in a 
ring of rooms. Each room has a window, which can be either open, closed or locked. The 
robot can move (either clockwise or counterclockwise), close the window of the room where 
it is, and lock it if closed. The goal is to have all windows locked. 
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Cmdp 


Gpt 




|P| 


#BS/#BSH 


Time 


Time 


BTUC(2) 


3 


6/8 


0.000 


0.076 


BTUC(3) 


5 


14 / 23 


0.000 


0.078 


BTUC(4) 


7 


30 / 61 


0.010 


0.085 


BTUC(5) 


9 


62 / 150 


0.010 


0.098 


BTUC(6) 


11 


126 / 347 


0.030 


0.128 


BTUC(7) 


13 


254 / 796 


0.050 


0.205 


BTUC(8) 


15 


510 / 1844 


0.170 


0.380 


BTUC(9) 


17 


1022 / 4149 


0.310 


0.812 


BTUC(IO) 


19 


2046 / 9190 


0.720 


1.828 



BTUC(16) II 31 I 131070 / 921355 | 98.270 || 486.252" 



Table 5: Results for the BTUC problems. 



N-1 


1 1 

N , I , . 












1 1 





In the problem RING(r), where r is the number of rooms, the uncertainty is only in the 
initial condition: both the position of the robot and the status of the windows can be 
uncertain. These problems do not have a parallel solution, and have a large number of initial 
states (r * 3''), corresponding to full uncertainty on the position of the robot and on the 
status of each window. The results^ are reported on the left in Table 6. Cmbp outperforms 





Cmbp 


Cgp 


Gpt 




|P| 


#BS/#BSH 


Time 


|L| 


Time 


Time 


RING(2) 


5 


8/24 


0.000 


3 


0.070 


0.085 


RING(3) 


8 


26 / 78 


0.020 


4 




0.087 


RING(4) 


11 


80 / 240 


0.040 






0.392 


RING(5) 


14 


242 / 726 


0.120 






1.150 


RING(6) 


17 


728 / 2184 


0.370 






6.620 


RING(7) 


20 


2186 / 6558 


1.420 






23.636 


RING(8) 


23 


6560 / 19680 


4.950 






105.158 


RING(9) 


26 


19682 / 59046 


27.330 








RING(IO) 


29 


59048 / 177144 


106.870 









Cgp on RING(5) 


IS 


|L| 


Time 


|L| 


Time 


1 


5 


0.010 


9 


0.020 


2 


5 


0.060 


9 


0.140 


4 


5 


0.420 


9 


1.950 


8 


5 


6.150 


9 


359.680 


16 


5 




9 





Table 6: The results for the RING problems. 

both Cgp and Gpt, although Gpt performs much better than Cgp. Both Cgp and Gpt 
suffer from the increasing complexity of the problem. On the right in Table 6, we plot (for 
the RING (5) problem) the dependency of Cgp on the number of initial states combined 
with the number of levels to be explored (different goals were provided which require the 
exploration of different levels). It is clear that the number of initial states and the depth of 
the search are both critical factors for Cgp. 

8. The times reported for Cgp refer to a scaled-down version of the problem, where locking is not taken 
into account, and thus the maximum number of initial states is r * 2''. 
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Ring of Rooms with Uncertain Action Effects. We considered a variation of the 
RING domain, called URING, first introduced by Cimatti and Roveri (1999), which is not 
expressible in Cgp. If a window is not locked and the robot is not performing an action 
which will determine its status (e.g. closing it), then the window can open or close nondeter- 
ministically. For instance, while the robot is moving from room 1 to room 2, the windows in 
room 3 and 4 could be open or closed by the wind. This domain is clearly designed to stress 
the ability of a planner to deal with actions having a large number of resulting states. In the 
worst case (e.g. a move action performed when no window is locked), there are 2^ possible 
resulting states. Although seemingly artificial, this captures the fact that environments can 
be in practice highly nondeterministic. We tried to compare Cmbp and QPT on the URING 
problem. In principle Gpt is able to deal with uncertainty in the action effects. However, 
we failed to codify the URING in the Gpt language, because it requires a conditional de- 
scription of uncertain effects. Therefore, we experimented with a variation of the RING 
domain featuring a higher degree of nondeterminism, called NDRING in the following. The 
NDRING domain contains an increasing number of additional propositions, called in the 
following nonmeriia/ propositions, which are initially unknown and are nondeterministically 
altered by each action. If i is the number of noninertial propositions, each action has 2* 





Cmbp 


Gpt 




|P| 


#BS/#BSH 


Time (5) 


Time (2) 


Time (3) 


Time (4) 


Time (5) 


NDRING(2) 


5 


8/24 


0.000 


0.140 


0.384 


0.948 


4.544 


NDRING(3) 


8 


26 / 78 


0.020 


0.256 


0.679 


2.574 


13.960 


NDRING(4) 


11 


80 / 240 


0.040 


1.046 


3.025 


12.548 


67.714 


NDRING(5) 


14 


242 / 726 


0.110 


4.550 


12.960 


48.426 




NDRING(6) 


17 


728 / 2184 


0.350 


18.758 


57.300 






NDRING(7) 


20 


2186 / 6558 


1.350 


108.854 








NDRING(8) 


23 


6560 / 19680 


4.990 










NDRING(9) 


26 


19682 / 59046 


27.060 










NDRING(IO) 


29 


59048 / 177144 


103.760 











Table 7: The results for the NDRING problems. 

possible outcomes. The results are listed in Table 7, with columns labeled with Time(i). 
The growing branching factor during the search has a major impact on the performance of 
Gpt, while Cmbp is insensitive to this kind of uncertainty. (The performance of Cmbp for 
a lower number of noninertial propositions are not reported because they are basically the 
same.) 

The URING problem was run only on Cmbp. The results are listed in Table 8. It can 
be noticed that the performances of Cmbp improve significantly with respect to the RING 
problem. This can be explained considering that, despite the larger number of transitions, 
the number of explored belief states is significantly smaller (see the Bs cache statistics in 
Tables 6 and 8). 

7.2.3 Square and Cube 

The following domains are the SQUARE(ri) and CUBE(n) from the Gpt distribution (Bonet 
&; Geffner, 2000). These problems consist of a robot navigating in a square or cube of side 
n. In both domains there are actions for moving the robot in all the possible directions. 
Moving the robot against a boundary leaves the robot in the same position. The original 
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Cmbp 




|P 


#BS/#BSH 


Time 


URING(2) 


5 


5/16 


0.000 


URING(3) 


8 


11 / 34 


0.010 


URING(4) 


11 


23 / 70 


0.020 


URING(5) 


14 


47 / 142 


0.040 


URING(6) 


17 


95 / 286 


0.080 


URING(7) 


20 


191 / 574 


0.190 


URING(8) 


23 


383 / 1150 


0.410 


URING(9) 


26 


767 / 2302 


0.980 


URING(IO) 


29 


1535 / 4606 


2.2300 



Table 8: Results for the URING problems. 

problems, called CORNER in the following, require the robot to reach a corner, starting 
from a completely unspecified position. We introduced two variations. In the first, called 
FACE, the initial position is any position of a given side [face] of the square [cube], while 
the goal is to reach the central position of the opposite side [face]. In the second, called 
CENTER, the initial position is completely unspecified, and the goal is the center of the 
square [cube]. For the corner problem, a simple heuristic is to perform only steps towards 
the corner, thus pruning half of the actions. The variations are designed not to allow for a 
simple heuristic — for instance, in the CENTER problem, no action can be eliminated. 





CORNBR 


FACB 


CBNTBR 


SQUARB(i) 


Cmbp 


Gpt 


Cmbp 


Gpt 


Cmbp 


Gpt 


P 


#BS/#BSH 


Time 


Time 


P 


#BS/#BSH 


Time 


Time 


|P| 


#BS/#BSH 


Time 


Time 


SQUARB(2) 


2 


2/4 


0.000 


0.074 


2 


2/4 


0.000 


0.038 


2 


2 / 4 


0.000 


0.060 


SQUARB(4) 


6 


16 / 37 


0.000 


0.080 


7 


33 / 83 


0.000 


0.066 


8 


76 / 190 


0.010 


0.083 


SQUARB(6) 


10 


36 / 93 


0.000 


0.092 


12 


86 / 232 


0.020 


0.089 


14 


218 / 692 


0.040 


0.216 


sqt.:ar,e(8) 


14 


63 / 173 


0.020 


0.115 


17 


163 / 453 


0.040 


0.139 


20 


432 / 1210 


0.090 


0.695 


SQUAREf 101 


18 




0.030 


0. 149 




264 / 746 


0.090 


0.228 




718 / 2044 


0. 190 


2.135 


SQTIAREfl2) 




113 / 105 


0.050 


0.196 




389 / nil 


0.150 


0.371 




1076 / 3094 


0.360 


5.310 


SQUARE(14) 


26 


195 / 557 


0.070 


0.261 


32 


538 / 1548 


0.230 


0.582 


38 


1506 / 4360 


0.560 


12.284 


SQUARE(16) 


30 


255 / 733 


0.080 


0.357 


37 


711 / 2057 


0.320 


0.908 


44 


2008 / 6842 


0.820 


26.241 


SQUARB(18) 


34 


323 / 933 


0.120 


0.603 


42 


908 / 2638 


0.640 


1.343 


60 


2682 / 7640 


1.330 


62.091 


SQUARB(20) 


38 


399 / 1157 


0.160 


0.638 


47 


1129 / 3291 


0.660 


1.883 


66 


3228 / 9464 


1.790 


94.204 





CORNBR 


FACB 


CBNTBR 


CUBB(t) 


Cmbp 


Gpt 


Cmbp 


c;pT 


Cmbp 


Gpt 


P 


#BS/#BSH 


Time 


Time 


P 


#BS/#BSH 


Time 


Time 


P 


#BS/#BSH 


Time 


Time 


CUBE(2) 


3 


6/19 


0.000 


0.332 


3 


6/19 


0.000 


0.061 


3 


6/19 


0.010 


0.061 


CUBB(3) 


6 


26 / 99 


0.010 


0.168 


6 


26 / 99 


0.000 


0.069 


6 


26 / 99 


0.010 


0.144 


CUBB(4) 


9 


63 / 261 


0.020 


0.430 


11 


319 / 1360 


0.060 


0.193 


12 


722 / 3091 


0.130 


0.369 


CUBB(6) 


12 


124 / 637 


0.040 


0.276 


14 


709 / 3096 


0.220 


0.412 


13 


1696 / 7402 


0.430 


2.010 


CUBE(6) 


15 


215 / 937 


0.060 


0.500 


19 


1343 / 6116 


0.430 


1.479 


21 


3365 / 13432 


0.910 


10.717 


CUBE(7) 


18 


342 / 1551 


0.100 


0.367 


22 


2266 / 10377 


0.840 


3.323 


24 


5797 / 26814 


1.860 


34.074 


CUBB(8) 


21 


511 / 2349 


0.160 


1.082 


27 


3619 / 16464 


1.400 


8.161 


30 


9248 / 43341 


3.620 


109.832 


CUBB(9) 


24 


728 / 3381 


0.330 


1.765 


30 


3169 / 24331 


2.810 


16.272 


33 


13786 / 63237 


7.260 


701.910 


CUBB(IO) 


27 


999 / 4677 


0.440 


2.068 


33 


7279 / 34364 


4.660 


32.226 


39 


19667 / 93898 


9.990 




CUBB(16) 


42 


3374 / 16167 


1.940 


9.207 


64 


26439 / 127826 


28.660 




60 


74041 / 369364 


68.930 





Table 9: Results for the SQUARE and CUBE problems. 

The results for these problems are reported in Table 9. The tests were run only with 
Cmbp and Gpt. The experiments highlight that the efficiency of Gpt strongly depends on 
the quality of the heuristic function. If, as in the first set of experiments, the heuristics are 
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effective, tfien Gpt is almost as good as Cmbp. Otfierwise, Gpt degrades significantly. In 
general, finding heuristics which are effective in the belief space appears to be a nontrivial 
problem. Cmbp appears to be more stable^, as it performs a blind, breadth-first search, 
and relies on the cleverness of the symbolic representation to achieve efficiency. 

7.2.4 Omelette 

Finally, we considered the OMELETTE(i) problem (Levesque, 1996). The goal is to have i 
good eggs and no bad ones in one of two bowls of capacity i. There is an unlimited number of 
eggs, each of which can be unpredictably good or bad. The eggs can be grabbed and broken 
into a bowl. The content of a bowl can be discarded, or poured to the other bowl. Breaking 
a rotten egg in a bowl has the effect of spoiling the bowl. A bowl can always be cleaned 
by discarding its content. The problem is originally presented as a partial observability 
problem, with a sensing action allowing to test if a bowl is spoiled or not. We considered 
the variation of the problem without sensing action: in this case no conformant solution 
exists. We used the OMELETTE problems to test the ability of Cmbp and Gpt to discover 
that the problem admits no conformant solution. The results are reported in Table 10. The 
table shows that Cmbp is very effective in checking the absence of a conformant solution, 
and outperforms Gpt by several orders of magnitude. 





CMBP 


GPT 




# steps 


#BS/#BSH 


Time 


Time 


OMELETTE(3) 


9 


15 / 34 


0.020 


0.237 


OMELETTE(4) 


11 


19 / 42 


0.030 


0.582 


0\[ET,ETTE(5) 


13 


23 / 50 


0.010 


1. 118 


OAIELETTE(6) 


15 


27 / 58 


0.050 


2.904 


0MELETTE(7) 


17 


31 / 66 


0.060 


5.189 


0MELETTE(8) 


19 


35 / 74 


0.090 


10.307 


OMELETTE (9) 


21 


39 / 82 


0.110 


18.744 


OMELETTE(IO) 


23 


43 / 90 


0.120 


32.623 



0MELETTE(15) I 33 I 63 / 130 | 0.210 || 225.530 



OMELETTE(20) | 43 | 83 / 170 | 0.440 
OMELETTE(30) | 63 | 123 / 250 | 0.890 



Table 10: Results for the OMELETTE problems. 
7.3 Summarizing Remarks 

Overall, Cmbp appears to implement the most effective approach to conformant planning, 
both in terms of expressivity and performance. CoP is only able to deal with uncertainties 
in the initial states, and cannot conclude that the problem does not admit a conformant 
solution. The main problem in Ccp seems to be its enumerative approach to uncertainties, 
and the increased number of initial states severely affects the performance (see Table 3 and 
Table 6). 

Qbfplan is in principle able to deal with uncertain action effects, but cannot conclude 
that the problem does not admit a conformant solution. From the small number of ex- 

9. Consider also that the problems are increasingly more difficult (see for instance the plan length). 
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periments that we could perform, the approach implemented by Qbfplan is limited by 
the Satplan style of search: the intermediate results obtained while solving an encoding 
at depth k are not reused while solving encodings of increasing depth. Furthermore, the 
solver appears to be specialized in finding a model, rather than in proving unsatisfiability. 
However, the latter ability is needed in all encodings but the final one. 

Get is a very expressive system, which allows efficiently dealing with a wide class of 
planning problems. As far as conformant planning is concerned, it is as expressive as 
Cmbp. It allows dealing with uncertain action effects, and can conclude that a problem 
does not have a conformant solution. However, Cmbp appears to outperform Gpt in 
several respects. First, the behaviour of Gpt appears to be directly related to the number 
of possible outcomes in an action. Furthermore, the efficiency of Gpt depends on the 
effectiveness of the heuristic functions, which can be sometimes difficult to devise, and 
cannot help when the problem does not admit a solution. 

The main strength of Cmbp is its independence on the number of uncertainties, which 
is achieved with the use of symbolic techniques. Being fully symbolic, Cmbp does not 
exhibit the enumerative behaviour of its competitors. Compared to the original approach 
described by Cimatti and Roveri (1999), a substantial improvement of the performance 
has been obtained by the new implementation of the pruning step. A disclaimer is in 
order. It is well known that Bdd based computations are subject to a blow-up in memory 
requirements when computing certain classes of boolean functions, e.g. multipliers (Bryant, 
1986). It would be trivial to make up an example where the performance of Cmbp degrades 
exponentially. However, in none of the examples we considered, which included all the 
examples in the distribution of Cgp and Gpt, this phenomenon occurred. 

8. Other Related Work 

The term conformant planning was first introduced by Goldman (1996), while presenting a 
formalism for constructing conformant plans based on an extension of dynamic logic. Re- 
cently, Ferraris and Giunchiglia (2000) presented another conformant planner based on SAT 
techniques. The system is not available for a direct comparison with Cmbp. The effective- 
ness of the approach is difficult to evaluate, as only a limited testing is described (Ferraris Sz 
Giunchiglia, 2000). The performance is claimed to be comparable with Cgp. However, the 
results are reported only for the enconding corresponding to the solution, and the behaviour 
of Qbfplan reported in Table 2 suggests that this kind of analysis might be limited. 

Several works share the idea of planning based on automata theory. The most closely 
related are the works in the lines of planning via model checking (Cimatti et al., 1997), upon 
which our work is based. This approach allows, for instance, to automatically construct 
universal plans which are guaranteed to achieve the goal in a finite number of steps (Cimatti 
et al., 1998b), or which implement trial-and-error strategies (Cimatti et al., 1998a; Daniele 
et al., 1999). These results are obtained under the hypothesis of total observability, while 
here run-time observation is not available. The main difference is that a substantial ex- 
tension is required to lift symbolic techniques to search in the space of belief states. De 
Giacomo and Vardi (1999) analyze several forms of planning in the automata theoretic 
framework. Goldman, Musliner and Pelican (2000) present a method where model checking 
in timed automata is interleaved with the plan formation activity, to make sure that the 
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timing constraints are met. Finally, Hoey and his colleagues (1999) use algebraic decision 
diagrams to tackle the problem of stochastic planning. 

9. Conclusions and Future Work 

In this paper we presented a new approach to conformant planning, based on the use 
of Symbolic Model Checking techniques. The algorithm is very general, and applies to 
complex planning domains, with uncertainty in the initial condition and in action effects, 
which can be described as finite state automata. The algorithm is based on a breadth- 
first, backward search, and returns conformant plans of minimal length, if a solution to the 
planning problem exists. Otherwise, it terminates with failure. The algorithm is designed 
to take full advantage of the symbolic representation based on Bdds. The implementation 
of the approach in the Cmbp system has been highly optimized, in particular in the crucial 
step of termination checking. We performed an experimental comparison of our approach 
with the state of the art conformant planners Cgp, Qbfplan and Get. Cmbp is strictly 
more expressive than Qbfplan and Cgp. On all the problems for which a comparison 
was possible, Cmbp outperformed its competitors in terms of run times, sometimes by 
orders of magnitude. Thanks to the use of symbolic data structures, Cmbp is able to deal 
efficiently with problems with large numbers of initial states and action outcomes. On 
the other hand, the qualitative behavior of Cgp and Gpt seems to depend heavily on the 
enumerative nature of their algorithms. Differently from Gpt, Cmbp is independent of the 
effectiveness of the heuristic used to drive the search. 

The research presented in this paper will be extended in the following directions. First, 
we are investigating an alternative approach to conformant planning, where the breadth- 
first style of the search is given up. These techniques appear to be extremely promising — 
preliminary experiments have led to speed ups of up to two orders of magnitude over the 
results presented in this paper for problems which admit a solution. Second, we will tackle 
the problem of conditional planning under partial observability, under the hypothesis that 
a limited amount of information can be acquired at run time. As conformant planning, this 
problem can be seen as search in the belief space. However, it appears to be significantly 
complicated by the need for dealing with run-time observation and conditional plans. Fi- 
nally, we are considering the extension of the domain construction of the planner with more 
expressive input language, such as C, and invariant detection techniques. 
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